CVE-2020-8137

Code injection vulnerability in blamer 1.0.0 and earlier may result in remote code execution when the input can be controlled by an attacker.

CVSS v3 9.8 CRITICAL
CVSS v2.0 7.5 HIGH

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

7.5^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://hackerone.com/reports/772448	Exploit Patch Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:blamer_project:blamer:*:*:*:*:*:node.js:*:*

History

No history.

Information

Published : 2020-03-20 19:15

Updated : 2024-02-28 17:47

NVD link : CVE-2020-8137

Mitre link : CVE-2020-8137

CVE.ORG link : CVE-2020-8137

JSON object : View

Products Affected

blamer_project

blamer

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

{"id": "CVE-2020-8137", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2020-03-20T19:15:13.033", "references": [{"url": "https://hackerone.com/reports/772448", "tags": ["Exploit", "Patch", "Third Party Advisory"], "source": "support@hackerone.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-94"}]}, {"type": "Secondary", "source": "support@hackerone.com", "description": [{"lang": "en", "value": "CWE-94"}]}], "descriptions": [{"lang": "en", "value": "Code injection vulnerability in blamer 1.0.0 and earlier may result in remote code execution when the input can be controlled by an attacker."}, {"lang": "es", "value": "Una vulnerabilidad de inyecci\u00f3n de c\u00f3digo en blamer versiones 1.0.0 y anteriores, puede resultar en una ejecuci\u00f3n de c\u00f3digo remota cuando la entrada puede ser controlada por un atacante."}], "lastModified": "2020-03-25T13:49:57.600", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:blamer_project:blamer:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "08B27A90-3921-4067-B3B5-E5EA6C51200D", "versionEndExcluding": "1.0.1"}], "operator": "OR"}]}], "sourceIdentifier": "support@hackerone.com"}